Session Management
Session hijacking
An attack in which an attacker impersonates the user by using a session token they sniffed from the network. Happens when plain HTTP is used instead of HTTPS.
What does marking the session cookies as HTTP Only do?
Prevents client-side code from accessing the cookie. Helps defend against XSS attacks.
web session
A sequence of HTTP request and response transactions associated with the same user.
HTTP
A stateless protocol in which each request/response pair is independent of other web interactions.
Session fixation attack
The attacker logs into the web server and gets a session ID, places that session ID in a link and sends it to the victim, and later uses the same session ID.
What does avoiding setting values for Max-Age and expires do?
Ensures the browser removes the cookie when the browser is shut down. Setting either value causes the browser to treat the cookie as a "persistent" cookie.
Session Identifier defense (GLD3)
Generate unique session IDs in a random (unguessable) order.
Limit caching of session info through restrictive cache directives.
Do not reuse session IDs.
Distinguish between "session" identifiers generated before and after user authentication (always generate a new identifier after login).
Do not expose session IDs in app URLs.
Examples of Poor Session Lifecycle Management
Guessable session IDs; not destroying the session when it is over; reusing and exposing session IDs.
Session Lifecycle Management Best Practices (TADA)
Tie audit events to the user session.
Automatically end/expire sessions after periods of user inactivity.
Do not allow infinitely-lived sessions (even with no user activity).
Always offer users a "log-out" option (do not rely on expiry alone, and do not assume users know how to close the browser).
cookies
Allow the server to identify the user and retrieve the user's session from the session database so that the session is maintained. Cookie-based sessions end when the user logs off or closes the browser.
session ID/token
Binds the user's authentication credentials (in the form of a user session) to the user's HTTP traffic and to the appropriate access controls enforced by the web application.
What does marking the session cookies as Secure do?
Instructs the browser to send the cookie with HTTPS requests only; prevents eavesdropping.
best practices for cookies
Mark session cookies as Secure and HTTP Only. Avoid setting values for Max-Age and Expires.